Merge pull request #1 from fmichellonet/features/services-configuration

services configuration & authorize attribute

Author: fmichellonet

src/AzureFunctions.Extensions.OpenIDConnect.sln.DotSettings

@@ -0,0 +1,2 @@
+<wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=ID/@EntryIndexedValue">ID</s:String></wpf:ResourceDictionary>

src/AzureFunctions.Extensions.OpenIDConnect/ApiAuthenticationService.cs renamed to src/AzureFunctions.Extensions.OpenIDConnect/AuthenticationService.cs

@@ -5,44 +5,30 @@
     using System.Security.Claims;
     using System.Threading.Tasks;
     using Microsoft.AspNetCore.Http;
-    using Microsoft.Extensions.Options;
     using Microsoft.IdentityModel.Tokens;
 
     /// <summary>
     /// Encapsulates checks of bearer tokens in HTTP request headers.
     /// </summary>
-    internal class ApiAuthenticationService : IApiAuthentication
+    internal class AuthenticationService : IAuthenticationService
     {
+        private readonly TokenValidationParameters _tokenValidationParameters;
         private readonly IAuthorizationHeaderBearerTokenExtractor _authorizationHeaderBearerTokenExractor;
-
         private readonly IJwtSecurityTokenHandlerWrapper _jwtSecurityTokenHandlerWrapper;
-
-        private readonly IOidcConfigurationManager _oidcConfigurationManager;
-
-        private readonly string _issuerUrl;
-        private readonly string _issuer;
-        private readonly string _audience;
-
-        private readonly string _nameClaimType;
-        private readonly string _roleClaimType;
-
-        public ApiAuthenticationService(
-            IOptions<OidcApiAuthSettings> apiAuthorizationSettingsOptions,
+        private readonly IOpenIdConnectConfigurationManager _openIdConnectConfigurationManager;
+        
+        public AuthenticationService(
+            TokenValidationParameters tokenValidationParameters,
             IAuthorizationHeaderBearerTokenExtractor authorizationHeaderBearerTokenExractor,
             IJwtSecurityTokenHandlerWrapper jwtSecurityTokenHandlerWrapper,
-            IOidcConfigurationManager oidcConfigurationManager)
+            IOpenIdConnectConfigurationManager openIdConnectConfigurationManager)
         {
-            _issuerUrl = apiAuthorizationSettingsOptions?.Value?.IssuerUrl;
-            _issuer = apiAuthorizationSettingsOptions?.Value?.Issuer ?? _issuerUrl;
-            _audience = apiAuthorizationSettingsOptions?.Value?.Audience;
-            _nameClaimType = apiAuthorizationSettingsOptions?.Value?.NameClaimType ??  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
-            _roleClaimType = apiAuthorizationSettingsOptions?.Value?.RoleClaimType ?? "http://schemas.microsoft.com/ws/2008/06/identity/claims/roleidentifier";
-
+            _tokenValidationParameters = tokenValidationParameters;
             _authorizationHeaderBearerTokenExractor = authorizationHeaderBearerTokenExractor;
 
             _jwtSecurityTokenHandlerWrapper = jwtSecurityTokenHandlerWrapper;
 
-            _oidcConfigurationManager = oidcConfigurationManager;
+            _openIdConnectConfigurationManager = openIdConnectConfigurationManager;
         }
 
         /// <summary>
@@ -57,12 +43,11 @@ public ApiAuthenticationService(
         public async Task<ApiAuthenticationResult> AuthenticateAsync(
             IHeaderDictionary httpRequestHeaders)
         {
-            bool isTokenValid = false;
+            var isTokenValid = false;
             ClaimsPrincipal principal = new ClaimsPrincipal();
 
-            string authorizationBearerToken = _authorizationHeaderBearerTokenExractor.GetToken(
-                httpRequestHeaders);
-            if (authorizationBearerToken == null)
+            var bearerToken = _authorizationHeaderBearerTokenExractor.GetToken(httpRequestHeaders);
+            if (bearerToken == null)
             {
                 return new ApiAuthenticationResult(principal,
                     "Authorization header is missing, invalid format, or is not a Bearer token.");
@@ -80,7 +65,7 @@ public async Task<ApiAuthenticationResult> AuthenticateAsync(
                     // then a fresh set of signing keys are retrieved from the OpenID Connect provider
                     // (issuer) cached and returned.
                     // This method will throw if the configuration cannot be retrieved, instead of returning null.
-                    isserSigningKeys = await _oidcConfigurationManager.GetIssuerSigningKeysAsync();
+                    isserSigningKeys = await _openIdConnectConfigurationManager.GetIssuerSigningKeysAsync();
                 }
                 catch (Exception ex)
                 {
@@ -92,25 +77,12 @@ public async Task<ApiAuthenticationResult> AuthenticateAsync(
                 try
                 {
                     // Try to validate the token.
+                    
 
-                    var tokenValidationParameters = new TokenValidationParameters
-                    {
-                        RequireSignedTokens = true,
-                        ValidAudience = _audience,
-                        ValidateAudience = true,
-                        ValidIssuer = _issuer,
-                        ValidateIssuer = true,
-                        ValidateIssuerSigningKey = true,
-                        ValidateLifetime = true,
-                        IssuerSigningKeys = isserSigningKeys,
-                        NameClaimType = _nameClaimType,
-                        RoleClaimType = _roleClaimType
-                    };
+                    _tokenValidationParameters.IssuerSigningKeys = isserSigningKeys;
 
                     // Throws if the the token cannot be validated.
-                    principal = _jwtSecurityTokenHandlerWrapper.ValidateToken(
-                        authorizationBearerToken,
-                        tokenValidationParameters);
+                    principal = _jwtSecurityTokenHandlerWrapper.ValidateToken(bearerToken,_tokenValidationParameters);
 
                     isTokenValid = true;
                 }
@@ -124,7 +96,7 @@ public async Task<ApiAuthenticationResult> AuthenticateAsync(
                     // Then we retry by asking for the signing keys and validating the token again.
                     // We only retry once.
 
-                    _oidcConfigurationManager.RequestRefresh();
+                    _openIdConnectConfigurationManager.RequestRefresh();
 
                     validationRetryCount++;
                 }

src/AzureFunctions.Extensions.OpenIDConnect/AuthorizeFilter.cs

@@ -0,0 +1,46 @@
+namespace AzureFunctions.Extensions.OpenIDConnect
+{
+    using System.Net;
+    using System.Threading;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Http;
+    using Microsoft.Azure.WebJobs.Host;
+
+    public class AuthorizeFilter : FunctionInvocationFilterAttribute
+    {
+        private readonly IHttpContextAccessor _httpContextAccessor;
+        private readonly IAuthenticationService _authenticationService;
+        private readonly IRouteGuardian _routeGuardian;
+
+        public AuthorizeFilter(IHttpContextAccessor httpContextAccessor, IAuthenticationService authenticationService, IRouteGuardian routeGuardian)
+        {
+            _httpContextAccessor = httpContextAccessor;
+            _authenticationService = authenticationService;
+            _routeGuardian = routeGuardian;
+        }
+
+        public override async Task OnExecutingAsync(FunctionExecutingContext executingContext, CancellationToken cancellationToken)
+        {
+            if (await _routeGuardian.ShouldAuthorize(executingContext.FunctionName))
+            {
+                var httpContext = _httpContextAccessor.HttpContext;
+
+                // Authenticate the user
+                var authResult = await _authenticationService.AuthenticateAsync(httpContext.Request.Headers);
+
+                if (authResult.Failed)
+                {
+                    await Unauthorized(httpContext, cancellationToken);
+                    return;
+                }
+            }
+            await base.OnExecutingAsync(executingContext, cancellationToken);
+        }
+
+        private async Task Unauthorized(HttpContext httpContext, CancellationToken cancellationToken)
+        {
+            httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+            await httpContext.Response.WriteAsync(string.Empty, cancellationToken);
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect/AzureFunctions.Extensions.OpenIDConnect.csproj

@@ -28,11 +28,12 @@ Works with popular identity providers including Auth0, Azure AD B2C, Azure AD, G
     <Message Importance="high" Text="NuspecProperties: $(NuspecProperties)" />
   </Target>
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Http.Features" Version="3.1.8" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Features" Version="3.1.12" />
     <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
+    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Http" Version="3.0.12" />
     <PackageReference Include="Microsoft.Extensions.Options" Version="3.1.8" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="6.7.1" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.7.1" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.7.1" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="6.8.0" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.8.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.8.0" />
   </ItemGroup>
 </Project>

src/AzureFunctions.Extensions.OpenIDConnect/Configuration/ConfigurationBuilder.cs

@@ -0,0 +1,47 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Tokens;
+
+namespace AzureFunctions.Extensions.OpenIDConnect.Configuration
+{
+
+    public class ConfigurationBuilder
+    {
+        private readonly IServiceCollection _services;
+        private bool _hasConfigurationManagerSettings;
+        private bool _hasTokenValidationParameters;
+
+        internal bool IsValid => _hasTokenValidationParameters && _hasConfigurationManagerSettings;
+
+        internal ConfigurationBuilder(IServiceCollection services)
+        {
+            _services = services;
+        }
+
+        public void SetTokenValidation(string audience, string issuer)
+        {
+            SetTokenValidation(TokenValidationParametersHelpers.Default(audience, issuer));
+        }
+
+        public void SetTokenValidation(TokenValidationParameters settings)
+        {
+            _services.AddSingleton(settings);
+            _hasTokenValidationParameters = true;
+        }
+        
+        public void SetIssuerBaseUrlConfiguration(string issuerUrl)
+        {
+            SetConfigurationManagerSettings(ConfigurationManagerSettings.FromIssuerBaseAddress(issuerUrl));
+        }
+
+        public void SetIssuerMetadataConfigurationEndpoint(string metadataUrl)
+        {
+            SetConfigurationManagerSettings(ConfigurationManagerSettings.WithSpecificConfigurationEndpoint(metadataUrl));
+        }
+
+        private void SetConfigurationManagerSettings(ConfigurationManagerSettings settings)
+        {
+            _services.AddSingleton(settings);
+            _hasConfigurationManagerSettings = true;
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect/Configuration/ConfigurationManagerSettings.cs

@@ -0,0 +1,31 @@
+using System;
+
+namespace AzureFunctions.Extensions.OpenIDConnect.Configuration
+{
+    internal class ConfigurationManagerSettings
+    {
+        public static string DefaultOpenidConfigurationEndPoint = ".well-known/openid-configuration";
+
+        public Uri MetadataAddress { get; }
+
+        private ConfigurationManagerSettings(string metadataAddress)
+        {
+            if(string.IsNullOrEmpty(metadataAddress))
+            {
+                throw new ArgumentNullException(nameof(metadataAddress));
+            }
+
+            MetadataAddress = new Uri(metadataAddress);
+        }
+
+        public static ConfigurationManagerSettings FromIssuerBaseAddress(string baseUrl)
+        {
+            return new ConfigurationManagerSettings($"{baseUrl}{DefaultOpenidConfigurationEndPoint}");
+        }
+
+        public static ConfigurationManagerSettings WithSpecificConfigurationEndpoint(string metadataEndpointUrl)
+        {
+            return new ConfigurationManagerSettings(metadataEndpointUrl);
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect/Configuration/ServicesConfigurationExtensions.cs

@@ -0,0 +1,51 @@
+namespace AzureFunctions.Extensions.OpenIDConnect.Configuration
+{
+    using System;
+    using Microsoft.Azure.WebJobs.Host;
+    using Microsoft.Extensions.DependencyInjection;
+
+    public static class ServicesConfigurationExtensions
+    {
+        public static void AddOpenIDConnect(this IServiceCollection services, string issuer, string audience)
+        {
+            Action<ConfigurationBuilder> configurator = builder =>
+            {
+                builder.SetTokenValidation(TokenValidationParametersHelpers.Default(audience, issuer));
+
+                builder.SetIssuerBaseUrlConfiguration(issuer);
+            };
+
+            AddOpenIDConnect(services, configurator);
+        }
+
+        public static void AddOpenIDConnect(this IServiceCollection services, Action<ConfigurationBuilder> configurator)
+        {
+            if (configurator == null)
+            {
+                throw new ArgumentNullException(nameof(configurator));
+            }
+
+            var builder = new ConfigurationBuilder(services);
+            configurator(builder);
+
+            if (!builder.IsValid)
+            {
+                throw new ArgumentException("Be sure to configure Token Validation and Configuration Manager");
+            }
+
+            // These are created as a singletons, so that only one instance of each
+            // is created for the lifetime of the hosting Azure Function App.
+            // That helps reduce the number of calls to the authorization service
+            // for the signing keys and other stuff that can be used across multiple
+            // calls to the HTTP triggered Azure Functions.
+
+            services.AddHttpContextAccessor();
+            services.AddSingleton<IAuthorizationHeaderBearerTokenExtractor, AuthorizationHeaderBearerTokenExtractor>();
+            services.AddSingleton<IJwtSecurityTokenHandlerWrapper, JwtSecurityTokenHandlerWrapper>();
+            services.AddSingleton<IOpenIdConnectConfigurationManager, OpenIdConnectConfigurationManager>();
+            services.AddSingleton<IAuthenticationService, AuthenticationService>();
+            services.AddSingleton<IRouteGuardian, RouteGuardian>();
+            services.AddSingleton<IFunctionFilter, AuthorizeFilter>();
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect/Configuration/TokenValidationParametersHelpers.cs

@@ -0,0 +1,23 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace AzureFunctions.Extensions.OpenIDConnect.Configuration
+{
+    public static class TokenValidationParametersHelpers
+    {
+        public static TokenValidationParameters Default(string audience, string issuer)
+        {
+            return new TokenValidationParameters
+            {
+                RequireSignedTokens = true,
+                ValidateIssuerSigningKey = true,
+                ValidateLifetime = true,
+
+                ValidateAudience = true,
+                ValidAudience = audience,
+
+                ValidateIssuer = true,
+                ValidIssuer = issuer
+            };
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect/IApiAuthentication.cs renamed to src/AzureFunctions.Extensions.OpenIDConnect/IAuthenticationService.cs

@@ -3,7 +3,7 @@
     using System.Threading.Tasks;
     using Microsoft.AspNetCore.Http;
 
-    public interface IApiAuthentication
+    public interface IAuthenticationService
     {
         Task<ApiAuthenticationResult> AuthenticateAsync(IHeaderDictionary httpRequestHeaders);
     }

src/AzureFunctions.Extensions.OpenIDConnect/IOidcConfigurationManager.cs renamed to src/AzureFunctions.Extensions.OpenIDConnect/IOpenIDConnectConfigurationManager.cs

@@ -4,7 +4,7 @@
     using System.Threading.Tasks;
     using Microsoft.IdentityModel.Tokens;
 
-    internal interface IOidcConfigurationManager
+    internal interface IOpenIdConnectConfigurationManager
     {
         /// <summary>
         /// Returns the cached signing keys if they were retrieved previously.

src/AzureFunctions.Extensions.OpenIDConnect/IRouteGuardian.cs

@@ -0,0 +1,9 @@
+namespace AzureFunctions.Extensions.OpenIDConnect
+{
+    using System.Threading.Tasks;
+
+    public interface IRouteGuardian
+    {
+        Task<bool> ShouldAuthorize(string functionName);
+    }
+}